Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc8e39d816500ca5…

MALICIOUS

PDF

58.6 KB Created: 2021-09-08 08:27:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d9b85d9e32c6b3f8bb034b13c9064064 SHA-1: dcf975a62f1c450653e8f9f5d6252b3c11d070ab SHA-256: dc8e39d816500ca5f0d9f9ed878132716d5457b742ed81a0d1c424e4a42728e2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised or disposable hosting, suggesting a malicious intent to redirect users. The ClamAV detection and ML classifier further support its malicious nature. The primary attack pattern observed is the use of a link farm within the PDF to lure users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6398

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://alihuata.com/userfiles/file/faketanigak.pdf
    • http://ofipapel.org//ckfinder/userfiles/files/65725166884.pdf
    • http://fujieshubao.com/zk/UploadFile/file/2021081512083173499.pdf
    • http://suachuaspa.com/upload/images-content/files/96231731308.pdf
    • https://ebal.ro/app/webroot/files/userfiles/files/35440148858.pdf
    • http://infinity-pro.ru/userfiles/file/57302453663.pdf
    • http://blesk-stroy.ru/userfiles/files/77026507633.pdf
    • http://arslanemlak.com/E/file/20687539982.pdf
    • https://thefencedocumentary.com/adminfiles/file/givizixifijudofutumog.pdf
    • http://puntolinea.org/userfiles/files/64409039597.pdf
    • http://portakalweb.net/home/portakal/public_html/ckfinder/userfiles/files/91398692488.pdf
    • http://bilagroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/160fc8713e2287---zexiw.pdf
    • http://clearlakesd.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c5ffc14740a---jaluniw.pdf
    • http://nkcophs50threunion.com/clients/0/01/014062e559e26c1cf0711bcec4e573ae/File/ragumawewigim.pdf
    • http://dubilex.com/userfiles/files/ranuxifezuliba.pdf
    • http://www.infranetltd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5cd9ea0f3---39749863139.pdf
    • http://automozg.by/upload/editor/files/5901508130.pdf
    • https://investir-petroleo.pt/ckfinder/userfiles/files/buwer.pdf
    • https://red-adlay.com/upload/files/14622604937.pdf
    • http://ontsgoi.shop/uploads/files/48954336297.pdf
    • http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/160975698e48c5---buwenifinitebulodeborepeg.pdf
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/395256102c1f6dc839d49561a764ab81/mudagiza.pdf
    • http://www.agenbenangbandung.net/file/dokile.pdf
    • http://bikipvuikhoedep.com/app/webroot/files/editor_upload/files/bijexesasezanuz.pdf
    • https://jollytime.ru/wp-content/plugins/super-forms/uploads/php/files/a336d1a423f5306f6ef22a26730c065f/39943180362.pdf
    • https://canadiancontractorservices.com/wp-content/plugins/super-forms/uploads/php/files/4lgf38jjmu2b0l5rb34a3c8ob1/vukemuronodoxigib.pdf
    • https://danfort.lv/userfiles/file/72778737191.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=lion%27s+choice+nutrition+pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c29e.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC29E 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.